How to map MITRE ATT&CK against security controls
Created in 2013, the MITRE ATT&CK® framework gave us a clear picture of online attack techniques and tactics. Perhaps for the first time, it shone a light on the behaviors of shadowy attack groups and described them using a framework that is easy to navigate and understand. Now, we have a playbook that shows us how attackers work, from high-level tactics to specific procedures.
That’s great, but how can we map that attack information to our defenses?
Security teams deal with vast, complex infrastructures that need sophisticated security controls. The ATT&CK playbook of common techniques, tactics and procedures (TTPs) can help them protect those systems with the most appropriate security controls. When an attack occurs, the TTPs in the ATT&CK matrices can help them to better understand the incident and use that knowledge to improve their security.
MITRE ATT&CK mapping against security controls
To make these comparisons, security professionals must map the ATT&CK matrices to specific defense frameworks, infrastructure security controls or real-world attack incidents.
As Jon Baker says, that’s a daunting prospect. The director of R&D at MITRE’s Center for Threat-Informed Defense (CTID) Challenges points out that security control frameworks are complex and adversaries evolve quickly. That makes mappings “often error prone and difficult to maintain,” he warns.
The CTID is the research and development arm of MITRE’s Engenuity foundation for public good. It has been promoting the adoption of ATT&CK by working with government and private sector organizations to map it against other assets.
Some of the CTID’s work shows just how complex mapping can be. In December, it released mappings between ATT&CK and the National Institute of Standards and Technology (NIST) Special Publication 800-53, a set of general security and privacy controls. There are over 6,300 mappings between ATT&CK’s TTPs and the NIST framework.
The NIST document is technology-neutral, but specific products and product categories have their own security controls. Containers — the small-footprint kernel-sharing virtualized environments typically managed by Kubernetes — are a case in point, bringing their own security challenges. The CTID worked with Microsoft and others to launch the MITRE ATT&CK for Containers matrix in April.
Similarly, cloud computing platforms have specific security controls that require their own attack mappings. The CTID worked with partners to create a set of attack mappings relating to security controls in Microsoft’s Azure cloud platform in June.
MITRE ATT&CK mapping against security incident reports
Security professionals can also improve their security controls by learning from attackers’ actions after real-world security incidents. Mapping ATT&CK against security incident reports is a useful way to extract valuable intelligence that you can use to improve your security.
In June, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released a set of best practices for mapping the ATT&CK framework against incident reports. Its advice is helpful whether mapping ATT&CK against incident reports or security control frameworks. It highlights the need for peer review. Mapping is such a complex and subjective process that it pays to have a second set of eyes to verify your findings and catch any relationships you might have missed.
Documenting MITRE ATT&CK mapping with ATT&CK Navigator
Beginning your mapping journey involves using the right tools. One indispensable piece of software is ATT&CK Navigator. This open-source MITRE utility enables you to document correlations between ATT&CK TTPs and other data, including security controls.
The Azure ATT&CK mappings include security control mappings specified in the popular YAML format. An accompanying tool uses the appropriate YAML files for an organization’s cloud deployment to create tailored ATT&CK Navigator files.
DIY MITRE ATT&CK mapping
While mapping MITRE ATT&CK to security controls might be a complex undertaking, MITRE offers tooling to help organizations do it themselves. It has published its methodology, which walks organizations through four steps:
- Reviewing ATT&CK mitigations
- Reviewing ATT&CK techniques the mitigation prevents
- Identifying candidate security controls to see how well they match to the mitigation
- Creating a mapping between the control and the ATT&CK technique
The Python-based software tools supporting the methodology use the Structured Threat Information Expression (STIX) language to represent both the controls and the mappings. This is an industry-standard format for sharing threat intelligence information. Security professionals can use it to build ATT&CK Navigator layers and exchange their mapping information directly.
The industry has accomplished a lot in mapping the ATT&CK framework against security controls, but there is much work yet to do. The mappings so far seem to concentrate on the ATT&CK Enterprise matrix. There’s plenty of opportunity to fill out not only this area, but also the Mobile and ICS matrices.
The tooling and methodology to create custom mappings are available for free. Hopefully, organizations will continue to collaborate on a corpus of off-the-shelf mappings that will make MITRE ATT&CK even more useful for defenders and help to encourage widespread adoption.
- ATT&CK mappings for Azure, Microsoft
- Microsoft ATT&CK mappings for containers, Microsoft
- ATT&CK mapping overview, MITRE
- Best practices for MITRE ATT&CK® mapping, CISA
- Mapping methodology, CTID
- Security control framework mappings to ATT&CK, CTID